Paper clip attack skewers Chip and PIN

Tapping up

Updated: UK researchers have uncovered a serious flaw in the Chip and PIN machines that authenticate debit and credit card transactions.

Two of the most popular PIN entry devices (PED) in the UK — the Ingenico i3300 and Dione Xtreme — are vulnerable to a "tapping attack", using nothing more sophisticated than a paper clip, a needle and a small recording device.

This basic kit enabled University of Cambridge Computer Laboratory researchers to record data exchanged between a card and the device's processor without triggering the devices' tamper-detection mechanisms. The devices analysed by the team were borrowed from merchants, but they can also be purchased online for as little as $20.

In a technical paper (PDF) the researchers explain that in both PIN entry devices they examined the secure storage for cryptographic keys is well protected. However, in each case it is possible to tap the data line between the card and the PIN Entry device's processor. The data exchanged on this line is not encrypted so the problem becomes one of getting physical access to the link and of hiding this covert snooping.

The Ingenico PED includes 1mm holes that give access to the printed circuit board with a bent paper clip. "This can be inserted through a hole in the plastic surrounding the internal compartment, and does not leave any external marks," the Cambridge researchers explain. Handily, the Ingenico PED also has a concealed compartment designed for the insertion of optional SIM-sized cards that expand its functionality. That compartment is not intended to be tamper-proof, so although it gives no direct access to the circuit board, it provides a hidden space in which to stow the wiretap.

The Dione PED has no concealed compartment in which to hide a wiretap, but is still vulnerable. The Cambridge researchers drilled a 0.8mm hole from the rear, through which they inserted a 4 cm needle into a flat ribbon connector socket. A thin wire run from this connection to a small interface board could then be used to send the captured data to a laptop.

The Cambridge researchers conclude that the attack is far easier to pull off than the banking industry claims.

What should have required $25,000 needed just a bent paper clip, a needle, a short length of wire and some creative thinking; attaching them to the data line takes minutes with some practice. A small FPGA or microcontroller board with some non-volatile memory can easily fit inside the Ingenico PED’s compartment and record transaction details without the cardholder’s knowledge, while a wire routed from the back of a mounted Dione PED to a recorder under the counter will not be detected unless the cardholder conducts a very close inspection – and knows what to look for.

The recording circuit can be very small and either battery operated or attached to the PED’s power supply; with a full transaction requiring about 1 kB of storage, even a small memory can record thousands of transactions. Detecting such a tap from within the PED is extremely difficult, since high input impedance probes do not significantly distort signals, and proper termination suppresses reflections.

"This attack can capture the card’s PIN because UK banks have opted to issue cheaper cards that do not use asymmetric cryptography to encrypt data between the card and PED," the Cambridge researchers note.

A demo of the attack (video here) featured on UK news programme Newsnight on Tuesday.

It gets worse. To ensure backward compatibility, PIN entry devices read data from magnetic stripes as well as from the chips on newer cards. Anyone tapping the link between a card and the processing device could therefore obtain all the data needed to make a cloned card. Add the corresponding PIN, and fraudsters could withdraw cash at the many ATMs overseas that have not been upgraded to read chips and so rely solely on easily fakeable magnetic stripes.

Tampered PIN entry devices have already been used for fraud. Last December, £80,000 was stolen from 1,500 people in Leicestershire when crooks cloned their cards using a doctored device in a local petrol station.

The process used to certify PIN entry device security is substandard, the Cambridge team argues. Evaluation should be more open, and defective devices should be refused certification, they say.

The Cambridge Chip and PIN scenarios pose little threat in the real world, according to APACS, the banking association which spearheaded the introduction of Chip and PIN in the UK. "The types of attack on PIN entry devices detailed in this report are difficult to undertake and not currently economically viable for a fraudster to carry out," a spokesman said.

Ross Anderson, a member of the research team and professor of security engineering at Cambridge, said: "The lessons we learned are not limited to banking. Other fields, from voting machines to electronic medical record systems, suffer from the same combination of stupid mistakes, sham evaluations and obstructive authorities. Where the public are forced to rely on the security of a system, we need honest security evaluations that are published and subjected to peer review."

The Cambridge team presents its findings in full in May at the IEEE Symposium on Security and Privacy conference in Oakland, California. Anderson's colleagues are Saar Drimer and Steven Murdoch. ®
